How to Test Your Low-Code Tools for Security Vulnerabilities
Learn what kinds of security issues low-code platforms pose, how developers can identify these security risks, and how to deal with them.
6 October 2021
What you will learn
In this article, we’ll provide a brief introduction to low-code development and the different tools and platforms available for low-code development. After discussing the trends, growth, and a few downsides of low-code platforms, we’ll focus on the article’s main agenda. With security concerns being the most cited issue amongst developers and critics of low-code, we’ll focus on the security vulnerabilities that could occur, how to test them, and how to deal with them.
Low-code development platforms (LCDPs) offer a drag-and-drop or WYSIWYG interface that enables users to write code, rather than a conventional text editor or IDE where the developer must write all the code from scratch. A few examples of low-code development platforms are Appian, Mendix, Tidelift, Salesforce, and Crowdbotics. Low-code apps are becoming increasingly popular; Forrester predicts the total LCDP market to reach 21 billion USD by 2022.
A low-code development environment is not an entirely new concept. For years, design engineers have been using rapid prototyping for 3D printing, CASE (Computer-Aided Software Engineering), and CAD (Computer-Aided Design) software for building products.
LCDPs mimic the same concept as CAD, using a graphical user interface to build programs and abstract the process of hand-writing codes. Many developers and enterprises are beginning to embrace LCDPs because of the benefits they offer. Here are some major advantages of LCDPs:
However, there are a few downsides to LCDPs. For instance, LCDPs can sometimes limit developer creativity by offering fewer customization options. You don’t know the underlying software and the logic used to run your application, leaving a knowledge void there. LCDPs are not often built to support many third-party integrations, either.
However, let’s go ahead and address the most severe concern that teams voice about using LCDPs: security.
Here we’ll see what kind of security issues low-code platforms pose, how developers can identify these loose ends, and how to deal with them.
If an organization is new to the low-code ecosystem, the developer team tends to follow handwritten coding norms. One standard routine followed is using third-party integrations. These external integrations could be with cloud services, applications, or databases.
Integrations could be added for numerous reasons such as search, captcha, shopping cart, login and authentication, emails, messages, and so forth. As discussed earlier, low-code platforms may not natively support the incorporation of such integrations. Hence, they don’t handle any security threats that arise due to such integrations, which are unfortunately a common risk.
Integration-related vulnerabilities could also arise when we try to deploy our application outside of the low-code platform. For this reason, it is best to deploy in the same environment as the LCDP.
What can you do about it?
Developers should avoid using any unsupported integrations for any feature or functionality in the LCDP. The team should receive enough training to get accustomed to the low-code environment. An outside chunk of code could expose the application’s sensitive data, leading to a data breach and other security attacks.
You should build the required functionalities using the low-code platform rather than by using a third-party integration. In most cases, you can achieve this by building your own APIs within the platform. Crowdbotics and a few other low-code platforms let you design custom APIs for various purposes.
Most organizations and developers perceive the low-code environment as a black box where the underlying working is hidden. This is true to a large extent because most of the backend activities in the low-code environment are not visible to the developer. This raises concerns about a few possible security vulnerabilities:
How can you test for these vulnerabilities and tackle them?
Its test coverage includes: intercepting proxy server, traditional and AJAXWeb crawlers, automated scanner, passive scanner, forced browsing, fuzzer, WebSocket support, scripting languages, and plug-n-hack support.
After checking our platform and code concerns, let’s jump into infrastructure vulnerabilities: specifically, cloud services and open-source platforms. Not all LCDPs are commercial or subscription-based; there are many open-source platforms as well.
Open source low-code platforms might rely on many dependencies and third-party integrations. Even if our source code doesn’t pose any security threats, the dependencies and integrations could create a great deal of risk exposure. Hence, it’s imperative to keep the application secure from such attacks. Tools like WhiteSource Bolt could be helpful.
Most LCDPs have built-in deployment to public cloud services. But some platforms allow the developer to choose their cloud service. Private clouds are not much of a problem, but it’s essential to keep security in mind when using a public cloud.
Most of the public cloud services include tools to verify the infrastructure for security. For instance, when the APIs are deployed, the application is tested for security issues in other environments first and then pushed into production. Also, tools such as InSpec provide compliance-as-code to ensure that the intent of the provisioned infrastructure is always being met. Generally speaking, you need to be sure that your cloud instance has some monitoring going on.
There are other tools that continuously run in the background, checking for security attacks. On more open LCDPs, this can be done using CI/CD pipeline tools, which offer continuous protection against malware. Jenkins is a popular open-source CI/CD choice amongst developers. These tools can provide added layers of protection while meeting the organization’s application development demands.
Low-code platforms are a boon to developers and organizations. However, there are various pitfalls to be wary of, the greatest of which is security. As we’ve show, any LCDP’s security questions can be easily answered with some knowledge and practice. There’s a reason LCDPs are popular; the increased speed of development, no strict technical requirements, and easy deployment more than justify the cost of some up-front vetting.
Crowdbotics offers a low-code app builder that provides drag-and-drop visual tools to assemble full-stack applications. These visual tools generate real React Native code for front-end components and Django code for back-end components. This full-code approach is what makes Crowdbotics a great fit for security-focused teams. Not sure if it’s secure? Just check the source code!
If you’d like to hand off your custom application development to an expert team of professional developers, Crowdbotics can also help with that. Just reach out and let us know what you want to build!